Abstract. We propose the first deterministic algorithm that tolerates
up to $f$ byzantine faults in $(3f+1)$-sized networks and performs in the
asynchronous CORDA model. Our solution matches the previously established
lower bound for the semi-synchronous ATOM model on the
number of tolerated Byzantine robots. Our algorithm works under bounded
scheduling assumptions for oblivious robots moving in a uni-dimensional
space.

1 Introduction 

Convergence is a fundamental agreement primitive in robot networks and is 
used in the implementation of a broad class of services (e.g. the construction
of common coordinate systems or specific geometrical patterns). Given a set of 
oblivious robots with arbitrary initial locations and no agreement on a global 
coordinate system, convergence requires that all robots asymptotically approach 
the same, but unknown beforehand, location. Convergence is hard to achieve in 
asynchronous systems, when robots obtain information only via visual sensors, 
since they are unable to distinguish between a moving or a stationary robot. 
The problem becomes even harder when some robots are Byzantine (i.e. those
robots can exhibit arbitrary behavior). In that case correct robots are required 
to converge independently of the behavior of the faulty ones. 

Robots operate in cycles that comprise look, compute, and move phases. The 
look phase consists in taking a snapshot of the other robots' positions using its
visibility sensors. In the compute phase a robot computes a target destination 
based on the previous observation. The move phase simply consists in moving 
toward the computed destination using motion actuators. The robots that we 
consider have weak capacities: they are anonymous (they execute the same protocol
and have no means to distinguish themselves from the others), oblivious (they
have no memory that is persistent between two cycles), and have no compass 
whatsoever (they are unable to agree on a common direction or orientation). 

In order to capture the essence of distributed coordination in robot networks, 
two main computational models are proposed in the literature: the ATOM [13] 
and CORDA [11] models. The main difference between the two models comes 
from the granularity of the execution of the look-compute-move cycle. For the
ATOM model, the cycle is atomic while in CORDA the atomicity concerns 
only the elementary phases in the cycle. That is, in the ATOM model, robots
executing concurrently remain in the same phase (they are synchronous or
semi-synchronous) while in CORDA they are asynchronous (e.g. a robot may execute
the look phase while another robot performs its move phase).

Related works Since the pioneering work of Suzuki and Yamashita [13], gathering¹
and convergence have been addressed in fault-free systems for a broad class
of settings. Prencipe [11] studied the problem of gathering in both ATOM and 
CORDA models, and showed that the problem is intractable without additional 
assumptions such as being able to detect the multiplicity of a location (i.e., 
knowing if there is more than one robot in a given location). Flocchini et al. [9] 
proposed a gathering solution for oblivious robots with limited visibility in the 
CORDA model, where robots share the knowledge of a common direction given 
by a compass. The subsequent work by Souissi et al. [12] considers a system
in which compasses are not necessarily consistent initially. In [2] the authors 
address convergence with limited visibility in fault-free environments. Conver- 
gence with inaccurate sensors and movements is addressed in [6]. Recently, in 
[14] the authors study the same problem under a uniform sensing error model. 
Ando et al. [2] propose a gathering algorithm for the ATOM model with limited 
visibility. 

The case of fault-prone robot networks was recently tackled by several academic
studies. The faults that have been investigated fall in two categories:
crash faults (i.e. a faulty robot stops executing its cycle forever) and Byzantine
faults (i.e. a faulty robot may exhibit arbitrary behavior and movement). Of
course, the Byzantine fault model encompasses the crash fault model, and is
thus harder to address. Deterministic fault-tolerant gathering is addressed in [1]
where the authors study a gathering protocol that tolerates one crash, and an
algorithm for the ATOM model with fully synchronous scheduling that tolerates
up to $f$ byzantine faults, when the number of robots is (strictly) greater than
$3f$. In [7] the authors study the feasibility of probabilistic gathering in crash-prone
and Byzantine-prone environments. Deterministic fault-tolerant convergence
was first addressed in [4, 5], where algorithms based on convergence to the
center of gravity of the system are presented. Those algorithms work in CORDA
model and tolerate up to $f$ ($n > f$) crash faults, where $n$ is the number of robots
in the system. Most related to this paper is [3], where the authors studied convergence
in byzantine-prone environments when robots move in a uni-dimensional
space. In more detail, [3] showed that convergence is impossible if robots are
not endowed with strong multiplicity detectors which are able to detect the exact
number of robots that may simultaneously share the same location. The
same paper defines the class of cautious algorithms which guarantee that correct
robots always move inside the range of positions held by correct robots,
and proved that any cautious convergence algorithm that can tolerate $f$ Byzantine
robots requires the presence of at least $2f + 1$ robots in fully-synchronous
ATOM networks and $3f + 1$ robots in semi-synchronous ATOM networks. The
lower bound for the ATOM model naturally extends to the CORDA model, yet
the protocol proposed in [3] for the asynchronous CORDA model requires at
least $4f + 1$ robots.

¹ Gathering requires robots to actually reach a single point within finite time regardless
of their initial positions.



Reference    Model              Faults                                     Bounds
[6]          ATOM               inaccurate sensors, movements and calc.
[1]          ATOM               crash                                      f = 1
             Fully-sync. ATOM   Byzantine                                  n > 3f
[4]          ATOM               crash                                      n > f
[5]          CORDA              crash                                      n > f
[3]          Fully-sync. ATOM   Byzantine                                  n > 2f
             ATOM               Byzantine                                  n > 3f
             CORDA              Byzantine                                  n > 4f
This paper   CORDA              Byzantine                                  n > 3f



Table 1. Crash and byzantine resilience bounds for deterministic gathering and con- 
vergence 



Table 1 summarizes the results related to crash and byzantine resilience of
gathering and convergence deterministic protocols that are known in robot
networks. The bold values denote the least specialized (and more difficult)
hypotheses.

Our contributions In this paper we consider the class of cautious algorithms, 
which guarantees that correct robots always move inside the range of positions 
held by correct robots. In this class, we propose an optimal (with respect to 
the number of Byzantine robots) Byzantine resilient solution for convergence 
when robots execute their actions in the CORDA model. That is, our solution 
tolerates $f$ byzantine robots in $(3f+1)$-sized networks, which matches the lower
bound presented in [3] for the class of cautious algorithms. 

Outline The remainder of the paper is organized as follows: Section 2 presents our
model and robot network assumptions. Section 3 presents the formal specification
of the convergence problem and recalls the necessary and sufficient conditions to
achieve convergence in Byzantine prone systems. Section 4 describes our protocol
and its complexity, while concluding remarks are presented in Section 5.

2 Model 

Most of the notions presented in this section are borrowed from [13, 10, 1]. We
consider a network that consists of a finite set of robots arbitrarily deployed 
in a uni-dimensional space. The robots are devices with sensing, computing and 
moving capabilities. They can observe (sense) the positions of other robots in the 
space and based on these observations, they perform some local computations
that can drive them to other locations. 

In the context of this paper, the robots are anonymous, in the sense that
they can not be distinguished using their appearance, and they do not have
any kind of identifiers that can be used during the computation. In addition,
there is no direct means of communication between them. Hence, the only way
for robots to acquire information is by observing their positions. Robots have
unlimited visibility, i.e. they are able to sense the entire set of robots. Robots are
also equipped with a strong multiplicity sensor referred to as multiples detector
and denoted hereafter by $\mathcal{M}$. This sensor provides robots with the ability to
detect the exact number of robots that may simultaneously occupy the same
location². We assume that the robots cannot remember any previous observation
nor computation performed in any previous step. Such robots are said to be
oblivious (or memoryless).

A protocol is a collection of $n$ programs, one operating on each robot. The
program of a robot consists in executing Look-Compute-Move cycles infinitely
many times. That is, the robot first observes its environment (Look phase). An
observation returns a snapshot of the positions of all robots within the visibility
range. In our case, this observation returns a snapshot (also called configuration
hereafter) of the positions of all robots denoted with $P(t) = \{P_1(t), \ldots, P_n(t)\}$.
The positions of correct robots are referred to as $U(t) = \{U_1(t), \ldots, U_m(t)\}$ where
$m$ denotes the number of correct robots. Note that $U(t) \subseteq P(t)$. The observed
positions are relative to the observing robot, that is, they use the coordinate
system of the observing robot. We denote by $P^i(t) = \{P^i_1(t), \ldots, P^i_n(t)\}$ the
configuration $P(t)$ given in terms of the coordinate system of robot $i$ ($U^i(t)$ is
defined similarly). Based on its observation, a robot then decides — according
to its program — to move or stay idle (Compute phase). When a robot decides
a move, it moves to its destination during the Move phase. An execution
$e = (c_0, \ldots, c_t, \ldots)$ of the system is an infinite sequence of configurations, where
$c_0$ is the initial configuration³ of the system, and every transition $c_i \to c_{i+1}$ is
associated to the execution of a subset of the previously defined actions.

A scheduler is a predicate on computations, that is, a scheduler defines a set
of admissible computations, such that every computation in this set satisfies the
scheduler predicate. A scheduler can be seen as an entity that is external to the
system and selects robots for execution. As more power is given to the scheduler
for robot scheduling, more different executions are possible and more difficult it
becomes to design robot algorithms. In the remainder of the paper, we consider
that the scheduler is k-bounded if, between any two activations of a particular
robot, any other robot can be activated at most k times⁴.



² In [3], it is proved that $\mathcal{M}$ is necessary to deterministically solve the convergence
problem in a uni-dimensional space even in the presence of a single Byzantine robot.
³ Unless stated otherwise, we make no specific assumption regarding the respective
positions of robots in initial configurations.
⁴ Note that [3] proves the impossibility result with $n = 3f$ robots using a 2-bounded
scheduler.
We now review the main differences between the ATOM [13] and CORDA [10]
models. In the ATOM model, whenever a robot is activated by the scheduler, 
it performs a full computation cycle. Thus, the execution of the system can be 
viewed as an infinite sequence of rounds. In a round one or more robots are acti- 
vated by the scheduler and perform a computation cycle. The fully-synchronous 
ATOM model refers to the fact that the scheduler activates all robots in each 
round, while the semi-synchronous ATOM model enables the scheduler to ac- 
tivate only a subset of the robots. In the CORDA model, robots may be in- 
terrupted by the scheduler after performing only a portion of a computation 
cycle. In particular, actions (look, compute, move) of different robots may be 
interleaved. For example, a robot a may perform a look phase, then a robot
b performs a look-compute-move complete action, then a computes and moves
based on its previous observation (that does not correspond to the current
configuration anymore). As a result, the set of executions that are possible in the
CORDA model is a strict superset of those that are possible in the ATOM
model. So, an impossibility result that holds in the ATOM model also holds in 
the CORDA model, while an algorithm that performs in the CORDA model is 
also correct in the ATOM model. Note that the converse is not necessarily true. 

The faults we address in this paper are Byzantine faults. A byzantine (or
malicious) robot may behave in an arbitrary and unforeseeable way. In each cycle,
the scheduler determines the course of action of faulty robots and the distance
to which each non-faulty robot will move in this cycle. However, a robot is
guaranteed to move a distance of at least $\delta$ towards its destination before it can
be stopped by the scheduler.

Our convergence algorithm performs operations on multisets. A multiset or
a bag $S$ is a generalization of a set where an element can have more than one
occurrence. The number of occurrences of an element $a$ is referred to as its
multiplicity and is denoted by $mul(a)$. The total number of elements of a multiset,
including their repeated occurrences, is referred to as the cardinality and is denoted
by $|S|$. $\min(S)$ (resp. $\max(S)$) is the smallest (resp. largest) element of $S$. If $S$ is
nonempty, $range(S)$ denotes the set $[\min(S), \max(S)]$ and $diam(S)$ (diameter
of $S$) denotes $\max(S) - \min(S)$.

3 The Byzantine Convergence Problem 

Given an initial configuration of $n$ autonomous mobile robots ($m$ of which are
correct such that $m \geq n - f$), the point convergence problem requires that all
correct robots asymptotically approach the exact same, but unknown beforehand,
location. In other words, for every $\epsilon > 0$, there is a time $t_\epsilon$ from which all
correct robots are within distance of at most $\epsilon$ of each other.

Definition 3.1 (Byzantine Convergence). A system of oblivious robots satisfies
the Byzantine convergence specification if and only if $\forall \epsilon > 0$, $\exists t_\epsilon$ such that
$\forall t > t_\epsilon$, $\forall i, j \leq m$, $distance(U_i(t), U_j(t)) < \epsilon$, where $U_i(t)$ and $U_j(t)$ are the
positions of some correct robots $i$ and $j$ at time $t$, and where $distance(a, b)$ denotes
the Euclidean distance between two positions.
Definition 3.1 requires the convergence property only from the correct robots.
Note that it is impossible to obtain the convergence for all robots since Byzantine 
robots may exhibit arbitrary behavior and never join the position of correct 
robots. 

In the following we recall the necessary conditions to achieve convergence in 
systems prone to Byzantine failures. We first focus on the definition of shrinking 
algorithms (algorithms that eventually decrease the range between any two correct
robots). In [3] it is proved that this condition is necessary but not sufficient
for convergence even in fault-free environments. We then recall the definition of
cautious algorithms (algorithms that ensure that the position of correct robots
always remains inside the range of the correct robots). This condition combined
with the previous one is sufficient to reach convergence in fault-free systems [3].

By definition, convergence aims at asymptotically decreasing the range of 
possible positions for the correct robots. The shrinking property captures this 
property. An algorithm is shrinking if there exists a constant factor $\alpha \in (0, 1)$
such that starting in any configuration the range of correct robots eventually
decreases by a multiplicative $\alpha$ factor.

Definition 3.2 (Shrinking Algorithm). An algorithm is shrinking if and
only if $\exists \alpha \in (0, 1)$ such that $\forall t$, $\exists t' > t$, such that $diam(U(t')) < \alpha \cdot diam(U(t))$,
where $U(t)$ is the multiset of positions of correct robots.

A natural way to solve convergence is to never let the algorithm increase the 
diameter of correct robot positions. In this case the algorithm is called cautious. 
This notion was first introduced in [8]. A cautious algorithm is particularly ap- 
pealing in the context of Byzantine failures since it always instructs a correct 
robot to move inside the range of the positions held by the correct robots regard- 
less of the locations of Byzantine ones. The following definition introduced first 
in [3] customizes the definition of cautious algorithm proposed in [8] to robot 
networks. 

Definition 3.3 (Cautious Algorithm). Let $D_i(t)$ be the last destination calculated
by the robot $i$ before time $t$ and let $U^i(t)$ be the positions of the correct robots as
seen by robot $i$ before time $t$.⁵ An algorithm is cautious if it meets the following
conditions:

- cautiousness: $\forall t$, $D_i(t) \in range(U^i(t))$ for each robot $i$.

- non-triviality: $\forall t$, if $diameter(U(t)) \neq 0$ then $\exists t' > t$ and a robot $i$ such
that $D_i(t') \neq U_i(t')$ (at least one correct robot changes its position).

The following theorem will be further used in order to prove the correctness 
of our convergence algorithm. 

Theorem 3.1 [3] Any algorithm that is both cautious and shrinking solves the 
convergence problem in fault-free robot networks. 

⁵ If the last calculation was executed at time $t' < t$ then $D_i(t) = D_i(t')$.
4 Deterministic Asynchronous Convergence



In this section we propose a deterministic convergence algorithm and prove its 
correctness in the CORDA model under a k-bounded scheduler. The idea of 
Algorithm 1 is as follows: each robot computes the median of the positions of 
the robots seen in its last Look phase ignoring the $f$ largest positions if they
are larger than his own position and the $f$ smallest positions if they are smaller
than his own position.

Algorithm 1 uses two functions, $trim_f^i()$ and $center()$. The choice of the
function $trim_f^i()$ makes the difference between this algorithm and that of [3].
Indeed, in [3] the trimming function removes the $f$ largest and the $f$ smallest
values from the multiset given in parameter. That is, the returned multiset does
not depend on the position of the calling robot. In Algorithm 1, $trim_f^i()$ removes
among the $f$ largest positions only those that are greater than the position of
the calling robot $i$. Similarly, it removes among the $f$ smallest positions only
those that are smaller than the position of the calling robot.

Formally, let $minindex_i$ be the index of the minimum position between $P_i(t)$
and $P_{f+1}(t)$ (if $P_i(t) < P_{f+1}(t)$ then $minindex_i$ is equal to $i$, otherwise it is
equal to $f + 1$). Similarly, let $maxindex_i$ be the index of the maximum position
between $P_i(t)$ and $P_{n-f}(t)$ (if $P_i(t) > P_{n-f}(t)$ then $maxindex_i$ is equal to $i$,
otherwise it is equal to $n - f$). $trim_f^i(P(t))$ is the multiset consisting of positions
$\{P_{minindex_i}(t), P_{minindex_i+1}(t), \ldots, P_{maxindex_i}(t)\}$. $center()$ returns the median
point of the input range. The two functions are illustrated in Figure 1.



Fig. 1. Illustration of functions $trim_f^i$ and $center$ for robots A and B.



In the following we prove the correctness of Algorithm 1 in the CORDA model 
under a k-bounded scheduler. In order to show that Algorithm 1 converges, we
prove first that it is cautious then we prove that it satisfies the specification of 
a shrinking algorithm. Convergence then follows from Theorem 3.1. 
Algorithm 1 Byzantine Tolerant Convergence

Functions:

- $trim_f^i(P(t))$: removes up to $f$ largest positions that are larger than $P_i(t)$ and up
to $f$ smallest positions that are smaller than $P_i(t)$ from the multiset $P(t)$ given in
parameter.

- $center$: returns the point that is in the middle of the range of points given in
parameter.

Actions:

move towards $center(trim_f^i(P(t)))$



4.1 Algorithm 1 is cautious 

In this section we prove that Algorithm 1 is a cautious algorithm (see Definition
3.3) for $n > 3f$. The following lemma states that the range of the trimmed
multiset $trim_f^i(P(t))$ is contained in the range of correct positions.

Lemma 4.1 Let $i$ be a correct robot executing Algorithm 1, it holds that

$range(trim_f^i(P(t))) \subseteq range(U(t))$

Proof. We prove that for any correct robot $i$, the following conditions hold:

1. $\forall t$ $\min(trim_f^i(P(t))) \in range(U(t))$.

2. $\forall t$ $\max(trim_f^i(P(t))) \in range(U(t))$.

1. By definition, $\min(trim_f^i(P(t))) = \min\{P_i(t), P_{f+1}(t)\}$. Hence proving Property
(1) reduces to proving $P_i(t) \in range(U(t))$ and $P_{f+1}(t) \in range(U(t))$.
Similarly, proving Property (2) reduces to proving $P_i(t) \in range(U(t))$ and
$P_{n-f}(t) \in range(U(t))$.

- $P_i(t) \in range(U(t))$ directly follows from the assumption that robot $i$ is
correct.

- $P_{f+1}(t) \in range(U(t))$. Suppose the contrary: there exists some time
instant $t$ such that $P_{f+1}(t) \notin range(U(t))$ and prove that this leads to a
contradiction. If $P_{f+1}(t) \notin range(U(t))$ then either $P_{f+1}(t) < U_1(t)$ or
$P_{f+1}(t) > U_m(t)$.

• If $P_{f+1}(t) < U_1(t)$ then there are at least $f + 1$ positions
$\{P_1(t), P_2(t), \ldots, P_f(t), P_{f+1}(t)\}$ that are smaller than $U_1(t)$ which is the
first correct position in the network at time $t$. This means that there
would be at least $f + 1$ byzantine robots in the system. But this
contradicts the assumptions that at most $f$ byzantine robots are
present in the system.

• If $P_{f+1}(t) > U_m(t)$ then since $n > 3f$ there are more than $f$ positions
$\{P_f(t), P_{f+1}(t), \ldots, P_n(t)\}$ that are greater than $U_m(t)$, which is the
last correct position in the system at time $t$. This also leads to a
contradiction.
2. In the following we prove that $P_i(t) \in range(U(t))$ and $P_{n-f}(t) \in range(U(t))$.

- $P_i(t) \in range(U(t))$ since robot $i$ is correct.

- $P_{n-f}(t) \in range(U(t))$. Assume the contrary: there exists some time
instant $t$ such that $P_{n-f}(t) \notin range(U(t))$ and prove that this leads to a
contradiction. If $P_{n-f}(t) \notin range(U(t))$ then either $P_{n-f}(t) < U_1(t)$ or
$P_{n-f}(t) > U_m(t)$.

• If $P_{n-f}(t) > U_m(t)$ then there are at least $f + 1$ positions
$\{P_{n-f}(t), \ldots, P_{n-1}(t), P_n(t)\}$ that are greater than $U_m(t)$ which is the last
correct position in the network at time $t$. It follows that there would
be at least $f + 1$ byzantine robots in the system which contradicts the
hypothesis on the maximal number of faulty robots in the system.

• If $P_{n-f}(t) < U_1(t)$ then since $n > 3f$ there are more than $f$ positions
$\{P_1(t), P_2(t), \ldots, P_{n-f}(t)\}$ that are smaller than $U_1(t)$, which is the
first correct position in the system at time $t$. This also leads to a
contradiction.

A direct consequence of the above property is that correct robots always 
compute a destination within the range of positions held by correct robots, 
whatever the behavior of Byzantine ones. Thus, the diameter of positions held 
by correct robots never increases. Consequently, the algorithm is cautious. The 
formal proof is proposed in the following lemma. 

Lemma 4.2 Algorithm 1 is cautious for $n > 3f$.

Proof. According to Lemma 4.1, $range(trim_f^i(P(t))) \subseteq range(U(t))$ for each
correct robot $i$, thus $center(trim_f^i(P(t))) \in range(U(t))$. It follows that all
destinations computed by correct robots are located inside $range(U(t))$ which proves
the lemma.

4.2 Algorithm 1 is shrinking 

In this section we prove that Algorithm 1 is a shrinking algorithm (see Definition
3.2). The following lemma states that a robot can not compute a destination
that is far from its current position by more than half the diameter of correct
positions. More specifically, a robot located on one end of the network can not
move to the other end in a single movement.

Interestingly, the property of Lemma 4.3 is guaranteed even though robots are
not able to figure out the range of correct positions nor to compute the corresponding
diameter. The bound on the movements of robots is achieved by taking
into account the position of the calling robot when computing the trimming function.
It is important to note that if all robots compute their destinations using
the same trimming function irrespective of the position of the calling robot,
convergence requires the presence of more than $4f$ robots to tolerate the presence
of up to $f$ Byzantine robots [3].

Lemma 4.3 $\forall t$, $\forall i$ correct robot, if $i$ computes its destination point at time $t$,
then at $t$, $distance(U^i_i(t), D_i(t)) \leq diameter(U^i(t))/2$
Proof. Suppose the contrary: $distance(U^i_i(t), D_i(t)) > diameter(U^i(t))/2$ for
some robot $i$ at time $t$. Assume without loss of generality that $U^i_i(t) < D_i(t)$
(the other case is symmetric). So $U^i_i(t) < D_i(t) + diameter(U^i(t))/2$ and we
prove that this is impossible.

Recall that $D_i(t)$ is the center of $trim_f^i(P(t))$ which implies that if there exists
some point $p \in trim_f^i(P(t))$ with $p < D_i(t)$ such that $distance(p, D_i(t)) >
diameter(U(t))/2$, then there must exist another point $q \in trim_f^i(P(t))$ with
$q > D_i(t)$ such that $distance(D_i(t), q) > diameter(U(t))/2$. This implies that
$distance(p, q) > range(U^i(t))$. Since both $p$ and $q$ belong to $trim_f^i(P(t))$ then
$diameter(trim_f^i(P(t))) > distance(p, q) > diameter(U^i(t))$. This contradicts
Lemma 4.1 which states that $range(trim_f^i(P(t))) \subseteq range(U(t))$.
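
Added example (not part of the paper): Algorithm 1's trimming and center functions in Python, checking the inclusion of Lemma 4.1 and the half-diameter bound of Lemma 4.3 on constructed configurations with n = 3f + 1, and contrasting them with the position-independent trimming that the text attributes to [3]. Positions are expressed in a single global coordinate system, and all function names and sample positions are assumptions of this example.

```python
import random


def trim_position_aware(positions, own, f):
    """trim_f^i of Algorithm 1: drop up to f of the largest positions that are
    strictly larger than `own` and up to f of the smallest positions that are
    strictly smaller than `own`. `own` must be an element of `positions`."""
    s = sorted(positions)
    drop_low = min(f, sum(1 for p in s if p < own))
    drop_high = min(f, sum(1 for p in s if p > own))
    return s[drop_low:len(s) - drop_high]


def trim_symmetric(positions, f):
    """Trimming described for [3]: always drop the f smallest and the f
    largest positions, whatever the position of the calling robot."""
    s = sorted(positions)
    return s[f:len(s) - f]


def center(multiset):
    """Middle of the range spanned by the multiset."""
    return (min(multiset) + max(multiset)) / 2


def compare_trimming(correct, byzantine, f):
    """For each correct robot, return (own position, destination under
    Algorithm 1, destination under position-independent trimming)."""
    snapshot = correct + byzantine
    symmetric_dest = center(trim_symmetric(snapshot, f))
    return [(own, center(trim_position_aware(snapshot, own, f)), symmetric_dest)
            for own in sorted(correct)]


def check_lemmas(trials=2000, seed=1):
    """Count violations of Lemma 4.1 and Lemma 4.3 over constructed random
    configurations with n = 3f + 1 robots, f of them Byzantine and placed
    anywhere (including far outside the correct range)."""
    rng = random.Random(seed)
    violations = 0
    for _ in range(trials):
        f = rng.randint(1, 3)
        n = 3 * f + 1
        correct = [rng.randint(0, 100) for _ in range(n - f)]
        byzantine = [rng.randint(-1000, 1000) for _ in range(f)]
        snapshot = correct + byzantine
        lo, hi = min(correct), max(correct)
        for own in correct:
            kept = trim_position_aware(snapshot, own, f)
            dest = center(kept)
            # Lemma 4.1: the trimmed range lies inside the correct range.
            in_range = lo <= kept[0] and kept[-1] <= hi
            # Lemma 4.3: the move is at most half the correct diameter.
            bounded = abs(own - dest) <= (hi - lo) / 2
            if not (in_range and bounded):
                violations += 1
    return violations


if __name__ == "__main__":
    # Constructed sample: three correct robots, one Byzantine robot far left.
    for own, aware, symmetric in compare_trimming([0, 4, 10], [-100], 1):
        print(f"robot at {own}: Algorithm 1 -> {aware}, symmetric trim -> {symmetric}")
    print("violations of Lemmas 4.1 / 4.3:", check_lemmas())
```

In the constructed sample the correct diameter is 10: the robot at position 10 moves 5 under Algorithm 1 but would move 8 under position-independent trimming, which exceeds the half-diameter bound.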

The following lemmas describe some important properties on the destination 
points computed by correct robots which will be used in proving the shrink- 
ingness of Algorithm 1. These properties are verified whatever the positions of 
Byzantine robots are, and thus they capture the limits of the influence of Byzan- 
tine robots on the actions undertaken by correct robots. 

The next lemma shows that the correct positions $\{U_{f+1}(t), \ldots, U_{m-f}(t)\}$ are
always included in the trimmed range (the output range of the function $trim_f^i$)
regardless of the positions of Byzantine robots.

Lemma 4.4 It holds that $range(trim_f(U(t))) \subseteq range(trim_f^i(P(t)))$.

Proof. We prove that:

1. $\forall t$ $U_{f+1}(t) \in range(trim_f^i(P(t)))$.

2. $\forall t$ $U_{m-f}(t) \in range(trim_f^i(P(t)))$.

1. Suppose that $U_{f+1}(t) \notin range(trim_f^i(P(t)))$. Then either

$U_{f+1}(t) < \min(trim_f^i(P(t)))$

or

$U_{f+1}(t) > \max(trim_f^i(P(t)))$

- If $U_{f+1}(t) < \min(trim_f^i(P(t)))$ then there are at least $f + 1$ positions
$\{U_1(t), \ldots, U_{f+1}(t)\}$ which are smaller than $\min(trim_f^i(P(t)))$. This
contradicts the definition of $trim_f^i(P(t))$ (at most $f$ among the smallest
elements of $P(t)$ are removed).

- If $U_{f+1}(t) > \max(trim_f^i(P(t)))$ and since $|U(t)| > 2f$ (because $n > 3f$),
then there are also at least $f + 1$ positions in $U(t)$ greater than
$\max(trim_f^i(P(t)))$, which also leads to a contradiction.

2. The property is symmetric to the precedent one.

Let $D(t)$ be the set of destinations computed with Algorithm 1 in systems
with $n > 3f$, and let $UD(t)$ be the union of $U(t)$ and $D(t)$. If a robot $i$ executed
its last Look action at time $t' < t$, then $UD^i(t) = UD(t')$. The following lemma
proves that the destination computed by each correct robot $i$ is always within the
range $[(\min(UD^i(t)) + U^i_{m-f}(t))/2, (U^i_{f+1}(t) + \max(UD^i(t)))/2]$ independently
of the positions of Byzantine robots.
Lemma 4.5 The following properties hold:

$\forall i$, each destination point calculated by a correct robot $i$ at time $t$ is (1) smaller
than $(U^i_{f+1}(t) + \max(UD^i(t)))/2$ and (2) greater than $(\min(UD^i(t)) + U^i_{m-f}(t))/2$.

Proof. Let $d_1$ be the distance between $U^i_{f+1}(t)$ and $\max(UD^i(t))$.

1. We suppose the contrary: there exists some calculated destination point
by some correct robot $i$ at time $t$ such that

$D_i > (U^i_{f+1}(t) + \max(UD^i(t)))/2$

and we prove that this leads to a contradiction.

$D_i > (U^i_{f+1}(t) + \max(UD^i(t)))/2$

implies that $U^i_{f+1}(t) < D_i - d_1/2$. And by Lemma 4.4, $U^i_{f+1}(t)$ is inside

$range(trim_f^i(P^i(t)))$

which means that there is a position inside $range(trim_f^i(P^i(t)))$ which is
smaller than $D_i - d_1/2$. Hence there must exist a position inside

$range(trim_f^i(P^i(t)))$

say $p$, such that $p > D_i + d_1/2$ because $D_i$ is the center of $trim_f^i(P^i(t))$.
$U^i_{f+1}(t) < D_i - d_1/2$ and $p > D_i + d_1/2$ implies that $distance(U^i_{f+1}(t), p) >
distance(U^i_{f+1}(t), \max(UD^i(t)))$ which in turn implies that $p > \max(UD^i(t))$.
But $p \in range(trim_f^i(P^i(t)))$, it follows that

$\max(trim_f^i(P^i(t))) > \max(UD^i(t))$

which contradicts Lemma 4.1 and thereby proves our lemma.

2. Symmetric to the precedent property.

Lemma 4.6 Let $S(t)$ be a multiset of $f + 1$ arbitrary elements of $U(t)$. The
following properties hold: (1) $\forall t$, $U_{f+1}(t) \leq \max(S(t))$ and (2) $\forall t$, $U_{m-f}(t) \geq
\min(S(t))$

Proof. 1. Assume the contrary: $U_{f+1}(t) > \max(S(t))$. This means that $U_{f+1}(t)$
is strictly greater than at least $f + 1$ elements of $U(t)$, which leads to a
contradiction ($U_{f+1}(t)$ is by definition the $(f + 1)$-th correct position in
$U(t)$).

2. The property is symmetric to the precedent.

The next lemma generalizes and extends the properties of Lemmas 4.4 and
4.5 (proven for a fixed time instant) to a time interval. It describes bounds on
the destination points computed by correct robots during a time interval $[t_1, t_2]$.
It states that if there is a subset of $f + 1$ robots whose positions are less than
$S_{max}$ during $[t_1, t_2]$, then all destinations computed during $[t_1, t_2]$ by all correct
robots in the network are necessarily smaller than $(S_{max} + Max(UD(t_1)))/2$.
Lemma 4.7 Let a time $t_2 > t_1$ and let $S(t)$ be a multiset of $f + 1$ arbitrary
elements in $U(t)$. If $\forall p \in S(t)$ and $\forall t \in [t_1, t_2]$ $p < S_{max}$ then all calculated
destination points at time interval $[t_1, t_2]$ are smaller than $(S_{max} + Max(UD(t_1)))/2$.

Proof. By definition of $S_{max}$ we have that $\forall t \in [t_1, t_2]$, $\max(S(t)) < S_{max}$.
According to Lemma 4.6, $\forall t \in [t_1, t_2]$ $U_{f+1}(t) \leq \max(S(t))$. So $\forall t \in [t_1, t_2]$,

By Lemma 4.5, each calculated destination point by each correct robot
$i$ at time interval $[t_1, t_2]$ is smaller than $(U^i_{f+1}(t) + \max(UD(t)))/2$, so because
$U_{f+1}(t) < S_{max}$ these destination points are also smaller than $(S_{max} +
\max(UD(t)))/2$. Since the algorithm is cautious, $\forall i$, $\forall t \in [t_1, t_2]$ $\max(UD(t)) <
\max(UD(t_1))$ and the lemma follows.

The next Lemma states that if some calculated destination point is in the 
neighborhood of one end of the network, then a majority of $m - f$ correct robots
are necessarily located in the neighborhood of this end. 

Lemma 4.8 If some correct robot $i$ executes its Look action at time $t$ and then
computes (in the Compute action which immediately follows) a destination $D_i$ such
that $D_i < \min(UD(t)) + b$ (with $b$ any distance smaller than $diameter(UD(t))/2$),
then at $t$, there are at least $m - f$ correct robots whose positions are (strictly)
smaller than $\min(UD(t)) + 2b$.

Proof. We prove first that at $t$, $\max(trim_f^i(P(t))) \leq \min(UD(t)) + 2b$. According
to Lemma 4.1, $\min(trim_f^i(P(t))) > \min(UD(t))$. And we have by hypothesis
that $D_i < \min(UD(t)) + b$. This gives us $D_i < \min(trim_f^i(P(t))) + b$. But $D_i$
is the center of $trim_f^i(P(t))$ which means that $distance(D_i, \min(trim_f^i(P(t))))$
must be equal to $distance(D_i, \max(trim_f^i(P(t))))$. Thus, $\max(trim_f^i(P(t))) <
D_i + b$. And since by hypothesis $D_i < \min(UD(t)) + b$, we have

$\max(trim_f^i(P(t))) < \min(UD(t)) + 2b$

which means that at $t$ there are at most $f$ correct positions greater than
$\min(UD(t)) + 2b$, and by definition no correct position is smaller than $\min(UD(t))$.
It follows that at $t$, the range $[\min(UD(t)), \min(UD(t)) + 2b)$ contains at least
$m - f$ correct positions.

We are now ready to give the proof of shrinkingness of our algorithm in the
CORDA model. The general idea of the proof is to show that the destination
points computed by correct robots are located either around the middle of the
range of correct positions or/and in the neighborhood of only one end of this
range.

If all computed destinations are located around the middle of the range of
correct robots then the diameter of this range decreases and the algorithm is
shrinking. Otherwise, if some computed destinations are located in the
neighborhood of one end of the range, it is shown that there is a time at which no
correct robot will be in the neighborhood of the other end of the range, which
leads again to a decrease in the range of correct positions and shows that the
algorithm is shrinking.

In this section we address the correctness of Algorithm 1 in the CORDA
model under a k-bounded scheduler. Our proof is constructed on top of the
auxiliary lemmas proposed in the previous section.

Lemma 4.9 Algorithm 1 is shrinking in the CORDA model with $n > 3f$ under
a k-bounded scheduler.

Proof. Let $U(t_0) = \{U_1(t_0), \dots, U_m(t_0)\}$ be the configuration of correct robots at
initial time $t_0$ and $D(t_0) = \{D_1(t_0), \dots, D_m(t_0)\}$ the multiset of their calculated
destination points at the same time $t_0$, and let $UD(t_0)$ be the union of $U(t_0)$ and
$D(t_0)$. Let $t_1$ be the first time at which all correct robots have been activated
and executed their Compute cycle at least once since $t_0$ ($U(t_1)$ and $D(t_1)$ are
the corresponding multisets of positions and destinations). Assume that robots
are ordered from left to right and define $d_0$ and $d_1$ as their diameters at $t_0$
and $t_1$ respectively. Since the model is asynchronous, the diameter calculation
takes into account both the positions and the destinations of robots. So
$d_0 = diameter(UD(t_0))$ and $d_1 = diameter(UD(t_1))$. Let $b$ be any distance that is
smaller than $d_0/4$, for example take $b = d_0/10$.

We consider the actions of correct robots after $t_1$ and we separate the analysis
into two cases:

— Case A: All calculated destinations by all correct robots after $t_1$ are inside
$[\min(UD(t_0)) + b, \max(UD(t_0)) - b]$. So when all correct robots are
activated at least once, their diameter decreases by at least $\min\{2\delta, 2b = d_0/5\}$.
Thus by setting $\alpha_1 = \max\{1 - 2\delta/d_0, 4/5\}$, the algorithm is shrinking.

— Case B: Let $t_2 > t_1$ be the first time when a robot, say $i$, executes a Look
action such that the Compute action that follows computes a destination
point, say $D_i$, that is outside $[\min(UD(t_0)) + b, \max(UD(t_0)) - b]$. This
implies that either ($D_i < \min(UD(t_0)) + b$) or ($D_i > \max(UD(t_0)) - b$).
Since the two cases are symmetric, we consider only the former, which implies
according to Lemma 4.8 that the range $[\min(UD(t_0)), \min(UD(t_0)) + 2b]$
must contain at least $m - f$ correct positions.

If some robots among these $m - f$ robots are executing a Move action, their
destination points have necessarily been calculated after $t_0$ (since at $t_1$ each
robot has been activated at least once). And we have by Lemma 4.3 that
the distance between each robot and its destination cannot exceed half the
diameter, so we conclude that at $t_2$ the destination points of these $m - f$
robots are all inside $[\min(UD(t_0)), \min(UD(t_0)) + b + d_0/2]$.
Let $S(t_2)$ be a submultiset of $UD(t_2)$ containing the positions and
destinations of $f + 1$ arbitrary robots among these $m - f$ whose positions and
destinations are inside $[\min(UD(t_0)), \min(UD(t_0)) + b + d_0/2]$. So
$\max(S(t_2)) \le \min(UD(t_0)) + b + d_0/2$. And since we chose $b < d_0/4$, we have
$\max(S(t_2)) < \max(UD(t_0)) - 3d_0/4$. Let $t_3 > t_2$ be the first time each correct robot in the
system has been activated at least once since $t_2$. We prove in the following
that at $t_3$, $\max(S(t_3)) < \max(UD(t_0)) - 3d_0/2^{k(f+1)+2}$.
To this end we show that the activation of a single robot of $S(t)$ cannot
reduce the distance between the upper bound of $\max(S)$ and $\max(UD(t_0))$
by more than half its previous value, and since the scheduler is k-bounded,
we can guarantee that this distance at $t_3$ is at least equal to $3d_0/2^{k(f+1)+2}$.
According to Lemma 4.5, if some robot $i$ calculates its destination $D_i$ at time
$t \in [t_2, t_3]$, $D_i < (U_{f+1}(t) + \max(UD(t)))/2$. But $U_{f+1}(t) < \max(S(t))$ by
Lemma 4.6 and $\max(UD(t)) \le \max(UD(t_0))$ due to cautiousness. This
gives us $D_i < (\max(S(t)) + \max(UD(t_0)))/2$. Therefore, an activation of a
single robot in $S(t)$ to execute its Compute cycle can reduce the distance
between $\max(UD(t_0))$ and $\max(S(t))$ by at most half its previous value.
So at $t_3$, after a maximum of $k$ activations of each robot in $S(t)$, we have
$\max(S(t_3)) \le \max(UD(t_0)) - 3d_0/2^{k(f+1)+2}$, and by Lemma 4.7, all
calculated destinations by all correct robots between $t_2$ and $t_3$ are less than or
equal to $\max(UD(t_0)) - 3d_0/2^{k(f+1)+3}$.

Since robots are guaranteed to move toward their destinations by at least a
distance $\delta$ before they can be stopped by the scheduler, after $t_3$, no robot will
be located beyond $\max(UD(t_0)) - \min\{\delta, 3d_0/2^{k(f+1)+3}\}$. Hence by setting
$\alpha = \max\{\alpha_1, 1 - \delta/d_0, 1 - 3/2^{k(f+1)+3}\}$ the lemma follows.

The convergence proof of Algorithm 1 directly follows from Lemma 4.9 and 
Lemma 4.2. 

Theorem 4.10 Algorithm 1 solves the Byzantine convergence problem in the
CORDA model for $n > 3f$ under a k-bounded scheduler.

5 Conclusions and discussions 

In this paper we consider networks of oblivious robots with arbitrary initial
locations and no agreement on a global coordinate system. Robots obtain
system-related information only via visual sensors and some of them are Byzantine
(i.e. they can exhibit arbitrary behavior). In this weak scenario, we studied the
convergence problem, which requires all robots to asymptotically approach
the exact same, but unknown beforehand, location. We focused on the class of
cautious algorithms, which guarantees that correct robots always move inside the
range of positions held by correct robots. In this class we proposed an optimal
Byzantine-resilient solution when robots execute their actions asynchronously as
defined in the CORDA model. That is, our solution tolerates $f$ Byzantine robots
in $3f + 1$-sized networks, which matches the previously established lower bound.
Two immediate open problems are raised by our work: 

— Our algorithm is proved correct under a bounded scheduling assumption. We
conjecture that this hypothesis is necessary for achieving convergence in the
class of cautious algorithms.

— The study of asynchronous byzantine-resilient convergence in a multi-dimen- 
sional space is still open. 